Reports of Active in the Wild Exploitation of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) XSS Vulnerability (CVE-2020-3580)

Description

FortiGuard Labs is aware of reports of new active in-the-wild exploitation of CVE-2020-3580, a cross-site scripting (XSS) vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that was first disclosed in October 2020. These reports followed the publication of new proof-of-concept (PoC) code for CVE-2020-3580, shared by Positive Technologies on June 24th via Twitter. CVE-2020-3580 is one of a series of disclosed XSS vulnerabilities in the same interface, four CVEs in total:

CVE-2020-3580
CVE-2020-3581
CVE-2020-3582
CVE-2020-3583

According to the original October advisory, the vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information.


Is the Proof of Concept Code Published Only for CVE-2020-3580?

Yes.


What Versions of Cisco ASA/FTD Are Affected?

For Cisco ASA, all versions of 9.15 and below are affected.

For Cisco FTD, all versions of 6.70 and below are affected.

For further details and guidance for specific versions, please refer to the Fixed Software section in the "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities" advisory located in the APPENDIX section.

The versions reported as affected by CVE-2020-3580 are Cisco ASA Software or FTD Software running a vulnerable AnyConnect or WebVPN configuration.


Are Patches Available for Reported Vulnerabilities by the Vendor?

Patches were available as of October 21, 2020. Please refer to the "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities" advisory in the APPENDIX section for further information.


How Serious of an Issue is This?

CVE-2020-3580 is rated MEDIUM and has a CVSS score of 6.1.


Are There Any Reports of Nation State Activity Actively Exploiting CVE-2020-3580?

Not that we are aware of at this time.


How Widespread is this Attack?

Global. Attackers are currently scanning for vulnerable, unpatched appliances regardless of location.


What is the Status of Coverage?

The FortiGuard Labs IPS team has assessed the feasibility of a signature to mitigate the proof-of-concept code, and a signature is currently in testing. We will update this Threat Signal with any relevant information once a signature becomes available.


Any Other Suggested Mitigation?

Cisco recommends applying all available patches from the October 2020 update immediately. According to the advisory, there are no workarounds for this issue. For further details, please refer to the "Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities" advisory in the APPENDIX section.


The potential for damage to daily operations and reputation, unwanted release of data, disruption of business operations, and similar harm is apparent. Because of this, it is important to keep all AV and IPS signatures up to date, to ensure that all known vendor vulnerabilities within an organization are addressed as soon as fixes become available, and to update on a regular basis to protect against attackers establishing a foothold within a network.